Beruflich Dokumente
Kultur Dokumente
over Bluetooth LE
-. = "p93849"
-. = "p93849", 2. -9 = "p12465", 29
BCDEF (DℎHII;CJ;. )
K;LMNCL;9
phase. When the client performs handshakes, it uses differ- tracking. This has been previously argued in [28, 25], but
ent credentials each time, which prevents an eavesdropper, due to the simplicity of this randomization technique, we
or an active attacker, from linking those handshakes to each include a formal claim, and its trivial proof below.
other, and therefore prevents tracking the client. This naive
approach has obvious drawbacks. It increases the amount Claim 1. The handshake scheme presented in 2.2.3 is
of storage since the user has to store credentials for all fu- unlinkable according to Definition 1.
ture executions of the protocol. It also limits the number Proof. The unlinkability of this scheme is information
of unlinkable handshakes to the number of pairs of creden- theoretic with a trivial proof. Since each pseudonym picked
tials issued at the setup. It might be good enough when a by the challenger is multiplied by a uniformly drawn random
user is unlikely to deplete its pool of credentials, or if it is element in Zq , each broadcast is indistinguishable from a
occasionally possible to communicate with the group admin- random element to A.
istrator to obtain fresh credentials. In addition, this method
provides revocation and traitor tracing, which help protect It is important to note, that this scheme becomes vulner-
against an adversary that is capable of corrupting users. able to member impersonation in case an adversary corrupts
We can also achieve unlinkability by a simple modifica- a member of the group, as pointed out by Yoon [46]. Given
tion to the previous scheme, based on an idea introduced by a member’s permanent credentials, the adversary can gen-
Huang and Cao [28]2 and later used by Gu and Xue [25]. In- erate new ephemeral credentials that will pass a handshake.
stead of PA and PB being strings that are visible during the This, however, poses a problem even for newer SH schemes
initial message exchange between the two parties, we denote such as [12]. It is therefore important to avoid this method
by PA and PB random points on the elliptic curve. t is once for achieving unlinkability when corruption is likely, and to
again the master secret, and member secrets are computed examine new schemes that provide revocation and traitor
as tracing along with unlinkability. In the meantime, we can
TA = t · PA TB = t · PB stick to the former simple method of issuing multiple cre-
dentials to each member.
PA and PB are never sent as is in the clear. Instead, for
each handshake, Alice picks a random r ∈ Zq and sends rPA 2.2.4 Security parameters
to Bob. Bob picks a random s ∈ Zq and sends sPB to Alice. Security is quantified as the number of basic operations
Alice computes (e.g AES encryptions) needed for recovering the secret key
and breaking the cryptographic scheme.
KA = e (sPB , TA )r = e (PB , PA )rst (3)
Breaking a symmetric-key scheme with key size k requires
and Bob computes 2k basic operations. Galbraith et al. [23] summarize the
equivalence between given symmetric key sizes and the cor-
KB = e (TB , rPA )s = e (PB , PA )rst (4) responding EC group element sizes, required to provide the
same level of security. To enjoy 128-bit security3 we have
so that KA = KB .
to use EC subgroups having size of at least 256 bits, i.e. 32
None of the two learns the permanent pseudonym of the
bytes. It means that we need 32-byte long pseudonyms (for
other. An adversary that eavesdrops on the messages can-
unlinkable handshakes). Compromising for 80-bit security,
not link different handshake attempts by the same mem-
we can use 160-bit (20 byte) elements4 . For string pseudo-
ber. And yet, both parties obtain the same key that can
nyms (first scheme), 20 bytes provide 128-bit security.
now be used for encrypting communication between the two.
This scheme provides information theoretic security against
2
3. SECRET HANDSHAKES OVER BLE
Their particular scheme, however, has a flaw, as pointed 3
out in [43, 47], due to release of the group public-key. Nev- That is the expected level of security nowadays.
4
ertheless, it doesn’t affect our use of the pseudonym ran- This compromise, if affordable, can simplify the proposed
domization idea. implementation, as we will see later.
library for computing pairings5 , it also results in a relatively
In this section we discuss ways to integrate secret hand- simple implementation. Finally, it requires a single pairing
shakes into BLE. Our goal is to reuse, as much as possible, computation by each party, compared to [12] which requires
the existing BLE message exchange. This part examines the three.
ideal vs. the currently available and practical. We look into While we presented some considerations, surveying and com-
ways to reconcile the requirements of a protocol for secret paring different SH schemes was not the central goal of this
handshakes with BLE constraints and with the current state work, as much as demonstrating practicality using an exist-
of supported BLE features on popular mobile devices. ing method. A follow-up work on the subject could greatly
benefit from a thorough comparison of the different schemes
3.1 Challenges available, and in particular, comparing their performance
Implementing secret handshakes over BLE poses several and bandwidth requirements. In the following, we present
challenges. Addressing those challenges at the design stage two methods for integrating the underlying SH scheme into
is one of the main contributions of this paper. Some key BLE.
issues are the limited amount of data that is possible to
transfer between devices over BLE, the fact that we are 3.3 A new pairing mode
operating within the restrictions of a given standard, and Our first proposition for executing the secret handshake
various constraints imposed by existing BLE implementa- procedure over BLE is to reuse the Bluetooth pairing pro-
tions both in hardware and software. In addition, we had to cedure6 . Pairing, in both classic Bluetooth and BLE, es-
pick an underlying cryptographic SH scheme that fits those tablishes a short-term shared key that can be used for en-
constraints. crypted communication between two Bluetooth devices. It
can be used for a short message exchange or to establish a
1. Fitting into BLE packet size: The restriction on long-term key to be used in subsequent sessions.
the packet sizes influences our choice of the underly- BLE currently offers several pairing methods:
ing cryptographic scheme. BLE advertisement packets
can fit up to 39 bytes of payload, with further restric- • Just Works - requires no user interaction7 . Does not
tion on how many of them we can control (31 bytes on protect from man-in-the-middle (MITM) attacks.
the platform we ended up using). The messages ex-
• Numeric comparison - a 6-digit number is displayed on
changed during a pairing process can fit 16 bytes only.
both devices, which confirm the pairing if they both see
This requires choosing a scheme in which little data is
the same number. Protects from MITM attacks.
exchanged.
• Passkey entry - one device displays a 6 digit number,
2. Avoiding Bluetooth pairing: We do not want the
which has to be entered on the other device to confirm
devices to “know” each other, i.e. be paired prior to the
the pairing.
handshake attempt, as this contradicts our use-cases.
Our proposals for integration avoid this. The first one • Out-of-band (OOB) - An external method is used to
is a new pairing mode that replaces the existing BLE provide information to both devices that is used to
pairing with a secret-handshake. The second uses BLE complete the pairing. For instance, NFC can be used
advertisements, which do not require prior pairing in to provide each device with an encryption key.
order to be published or processed by a scanning party.
The numeric comparison and passkey entry methods are
3. Fitting within the standard: BLE communication not very secure, as shown by Mike Ryan [41]. Rather than
is standardized and we want to operate within the ca- relying on existing pairing methods, we propose the secret
pabilities and restrictions of the standard. While the handshake for establishing trust and obtaining a shared ses-
proposition we make in section 3.3 considers a modifi- sion key. Therefore we can simply use Just Works to estab-
cation of BLE, we also aim for a prototype that works lish the Short Term Key (STK), as we do not care about
given the currently available functionality, which we security at this step. The STK establishment process is
present in section 3.4. followed by a pairing confirmation, in the form of Pairing
Confirm messages sent by both devices.
4. Low energy consumption: Power consumption be- We use the Pairing Confirm messages to exchange pseudo-
comes a major issue since we aim for use-cases where a nyms between Alice and Bob by setting the value of the
handshake attempt is frequently initiated. While BLE Mconfirm field to be the pseudonym. This implies that we
itself is designed to consume little energy, we also need have to use 128-bit pseudonyms. At the next step we use
to make sure that our protocol doesn’t add an energy the Pairing Random message to send an encrypted challenge
overhead that is not acceptable for a mobile device. from Alice to Bob by setting Mrand to be the challenge. Bob
computes the response and sends it in the Srand field in its
3.2 Choice of the underlying SH scheme Pairing Random reply message to A, which can now verify
The scheme presented in section 2.2.2 is a good fit for 5
addressing the small packet size, since the parties only ex- One of our contributions is providing a library wrapper for
our platform of choice.
change a pseudonym in the form of a single string (or sin- 6
Not to be confused with the mathematical operation over
gle group element in the case of the modified unlinkable elliptic curves, mentioned in the explanation of secret hand-
scheme). Some other schemes discussed in section 6, such as shakes.
[12, 19], require sending more data to initiate a handshake. 7
Sometimes the user will be asked to confirm the pairing,
Moreover, this scheme is simple to understand, and given a but not to insert a PIN or to compare passkeys.
Master Slave The advertiser sends another packet in response, which pro-
vides enough space to serve a 32-byte string.
Selection of pairing method After exchanging pseudonyms, the parties derive a 128-bit
Pairing Confirm (Mconfirm) - -P
(16 bytes) long symmetric key. Any subsequent communica-
tion for “challenge-response” can therefore fit in one adver-
Pairing Confirm (Sconfirm) - -Q , RℎHII;CJ;Q
tisement packet. As previously mentioned, 80-bit security
requires only 20-byte long pseudonyms, which now can fit in
Parties calculate shared key using pairings – serves as STK a single advertisement packet. This size is also enough for
128-bit security with the first (linkable) scheme.
Pairing Random (Mrand) – S;LMNCL;Q , RℎHII;CJ;P Note that while the scheme in [13] can ultimately require
Pairing Random (Srand) S;LMNCL;P only 3 messages, it would require packing more data into
each message. We avoid it due to the limited advertisement
Figure 3: Secret handshake as a new pairing mode. length, and instead exchange pseudonyms first, and then
Pseudonyms, challenges and responses are embedded in proceed with a challenge and response phase, resulting in 4
already existing fields of messages exchanged as part of messages.
the pairing procedure.
To support simultaneous interaction between many de-
vices, we need to instantiate a separate state machine for
each handshake attempt, and associate it with the Bluetooth
the success of the handshake8 . This process is depicted in device address of the other party. That way, advertisements
figure 3. received from different parties do not interfere with each
However, despite using existing messages, this approach other while executing the protocol. Of course, when using a
requires introducing an additional pairing method and ex- randomized MAC address, we are required to maintain the
tending the BLE stack with new functionality. And since same device address across all protocol rounds.
the pseudonym sizes are limited by the length of the Mcon- While the pairing mode option (3.3) is appealing, it would
firm messages, it enables less than 80-bits security, which is require adopting our proposal and have it integrated into
not acceptable in modern cryptographic implementations. the BLE standard. Currently, it also restricts us to smaller
Achieving the desired security levels would require further security parameters. We chose to implement our prototype
modifications to the pairing protocol. using advertiser-scanner interaction, as suggested in the last
subsection (3.4).
3.4 Advertiser-scanner interaction The scanner-advertiser interaction does not require a Blue-
As mentioned in section 2, BLE supports broadcasting tooth pairing between the devices, and yet enables exchang-
advertisements. Clients can scan and filter advertisements ing small amounts of data by the same method.
of specific types. An advertisement packet allows only 31
bytes of data to be set. With passive scanning the advertised 4. IMPLEMENTATION
data is limited to the contents of one advertisement packet.
With active scanning, the scanner can request more data In this section we discuss various practical considerations
and receive another packet from the advertiser in response. that influenced our prototype implementation. We describe
Windows .NET Bluetooth API currently enables control- the chosen alternative and walk through the implementa-
ling only the Manufacturer Specific Data (AD type 0xFF), tion.
which is 20 bytes. 4.1 Implementation Challenges
This method of performing the handshake doesn’t require
extending the BLE specification. It relies on transmitting Two main factors affect the choice of platform:
data between an advertiser Alice and a scanner Bob9 in a • Custom control over BLE communication.
way that does not require a Bluetooth pairing.
The advertiser broadcasts its pseudonym and, if the client • Convenient implementation of pairings over elliptic
that receives the broadcast in a scanning state is interested curves: pairings are fairly complicated to implement
in performing a handshake, it enters the initiating state. and we would therefore like to begin with an existing,
The client that enters the connection state from an initiating tested implementation.
state acts as a Master, while the advertiser that enters it
The current state of BLE deployment on mobile platforms
from the advertising state acts as a Slave. The connection
poses challenges to our goals. Only a few smartphone models
state serves for verifying the success of the handshake by
can broadcast BLE advertisements. In addition, few fields
exchanging a challenge and a response over the encrypted
within the advertisement packets can be controlled.
link.
iOS is fairly restrictive in terms of an application’s abil-
In section 2.2.4 we mentioned that 32-byte pseudonyms
ity to control the data that is transmitted in advertisement
are required. Because an advertisement packet cannot con-
packets. While iOS provides support for Apple’s own iBea-
tain more than 31 bytes of payload, we have to submit two
con protocol, it does not allow customizing the advertise-
packets. By using Active Scanning, the scanner can initiate
ment data, which precludes using iOS as a prototyping plat-
a Scan Request once an advertisement packet is received.
form for testing our protocol.
8 The Android framework provides the APIs necessary for
Non-resolvable random Bluetooth addresses are used for all
communication mentioned above. doing BLE advertising and scanning through BluetoothLeAd-
9
Here, advertiser and scanner are terms taken directly from vertiser and BluetoothLeScanner respectively. One particu-
the BLE specification, referring to a party in advertising lar appeal of Android is the fact that applications are pro-
state and a party in a scanning state respectively. grammed in Java, and there exists a Java library, named
JPBC [20], that implements pairing operations over elliptic-
curves. It provides the functionality we need for implement-
ing pairing-based secret handshakes.
Unfortunately, most Android phones do not currently sup-
port Bluetooth advertisement broadcasting in practice, and
we had to defer this option for now. It would be highly
useful to enable this capability in future models.
StartAdvertising
Advertiser Scanner
MemberCredentials
+ start() + role
+ start() + stop() + pseudonym
+ stop() + sendChallenge() + secret
- respondToChallenge() + handleResponse() StartScanning
done done
ment packet using its key, and if it verifies correctly, assumes Scanning Handshake 8.2%
that the handshake succeeded. It computes and encrypts
a response RespS to ChallengeA and starts advertising to Advertising Handshake 3.9%
send it to the Advertiser. Once the Advertiser receives the
response RespS , it verifies it, and if it passes, assumes that Scanning 7.5%
the handshake succeeded.
The source code of our implementation is available on Advertising 3.3%
https://github.com/ymcrcat/MASHaBLE.
Baseline 2.5%
4.3 Evaluation 0 5 10 15 20
For evaluating our implementation we created a simple
Battery Drain %
app that can broadcast, scan, and perform a secret hand-
shake with another phone running the same app.
Figure 8: Battery drain in different modes after 3 hours.
We can see that cryptographic operations add little over-
4.3.1 Functionality testing head on top of BLE energy consumption.
Our devices perform simultaneously Bluetooth advertising
and scanning. It is important to verify experimentally that
this unusual practice results in successful execution of the tisements (no advertisement is received meaning no ac-
handshake protocol with high probability. We ran our appli- tual handshake process is initiated).
cation on two Windows Phone devices, repeatedly perform-
ing handshakes between the two, for 8296 seconds (∼ 2 hours 4. Handshake Advertiser: the app, acting as an adver-
18 seconds). We performed 1 handshake every 8 seconds, re- tiser, is constantly performing handshakes with an-
sulting in a total number of 1068 handshake attempts. 1025 other phone acting as a scanner.
attempts resulted in a successful shared key establishment,
and only 43 handshake attempts have failed. The failures 5. Handshake Scanner: the app, acting as a scanner, is
were due to occasional lack of synchronization between the constantly performing handshakes with another phone
states of the two devices. Overall, in 96% of the cases the acting as an advertiser.
handshake procedure succeeded. This result suggests that We ran the experiment for 3 hours for each one of the
our protocol is fairly resistant to synchronization failures. modes, and took note of the battery drain percentage. The
results of the experiment are presented in Fig. 8. It is in-
4.3.2 Energy overhead
teresting to notice that scanning actually consumes more
We measured the energy overhead of our Windows Phone than advertising (despite the fact that advertising involves
implementation on a Nokia Lumia 920 phone. In each of transmission). This result was previously confirmed in other
the following scenarios, we started with the phone with its experiments such as [32]. The reason is the design rational
battery 100% charged, WiFi and location services off, and behind BLE modes of operation. Since it is likely that a bea-
screen dimmed to minimum brightness level: con device has to be in advertising mode for a long period
1. Baseline: the phone is not running the app. of time, it is designed for maximal energy saving. It trans-
mits a short packet each time and returns to sleep. Scanning
2. Advertising: the app is continuously publishing BLE is intended to be initiated less often. While scanning, the
advertisements of its pseudonym (no response is sent device constantly searches for beacons, performing intense
meaning no actual handshake process is initiated). processing.
The baseline we compare to is battery drain without any
3. Scanning: the app is continuously scanning for adver- activity, which was measured to be 2.5% per hour. Advertis-
ing resulted in additional 0.8% per hour. Scanning consumes the unlinkable scheme requires broadcasting two subsequent
5% per hour on top of the baseline, which is non-negligible, advertisement packets in order to transmit the pseudonym.
but nevertheless still enables almost 13 hours of operation. Having additional space in the form of the Bluetooth device
Advertising followed by handshake operations resulted in a address field enables to transmit 32-byte long credentials in
battery drain of 3.9% per hour, which enables approximately a single packet.
26 hours of operation. Finally, scanning followed by hand-
shakes resulted in a drain of 8.2% per hour, which enables 5.3 Organizational role authentication
12 hours of operation. Overall, these results are encourag- The secret handshake scheme described in 2.2 supports,
ing in the sense that they enable operation times that are with a slight modification, establishing the corresponding
on the order of what is required to be able to normally use roles of the parties within the organization, in addition to
a smartphone before recharging. proving affiliation. We do not provide the details here, but
By subtracting the results when handshakes are not per- it is described in [13]. We note, however, that the method
formed from the results when they are, we get the percentage in [13] assumes using pseudonyms which are public strings,
that the handshake logic adds on top of the power consump- to which the other party can attach an additional string
tion due to BLE scanning or advertising. In the case of indicating the role. That doesn’t settle with the unlinkable
advertising, handshakes added 0.6% per hour on top of ad- handshake scheme in 2.2.3, proposed as a countermeasure
vertising without proceeding further with the protocol. In against tracking, because it involves transmitting encodings
the case of scanning, proceeding with a handshake added of elliptic curve elements that mask the pseudonym.
0.7% on top of scanning only.
5.4 Additional applications of PbcProxy and
4.3.3 Communication overhead ported PBC library
Each advertisement packet consists of 47 bytes10 . The
PbcProxy, the glue between the .NET framework and a
handshake initiator (Alice) sends 1 packets to scanner (Bob)
C implementation of pairings compiled for the ARM proces-
containing a pseudonym. Bob sends back 1 packet with
sor, is an opening for many other Windows Phone applica-
his pseudonym and a challenge. Alice replies with 1 packet
tions that rely on pairing-based cryptography. One promi-
containing her response to Bob’s challenge and a challenge
nent application is Identity-based Encryption [17, 15, 16]. It
of her own, and finally, Bob responds to Alice’s challenge
enables encrypting sending encrypted messages to another
with 1 packet. Alice sends 47 × 2 = 94 bytes total, and Bob
party solely based on its publicly known identifier such as
sends 47 × 2 = 94 bytes. Overall we have 4 communication
an email or a phone number. For instance, a company or
rounds with 4 packets, which results in 188 bytes.
organization’s employees have each other’s contacts. Us-
Depending on Alice and Bob’s decision whether to use
ing identity-based encryption they can securely communi-
the established encrypted channel for further communica-
cate with each other without the need to exchange public
tion, e.g. exchanging messages, more data can be transmit-
keys directly. While the concept itself is not new, and even
ted. However, for all further communication, the overhead
commercialized by Voltage, the software libraries we provide
will stem solely from the Bluetooth packet structure, since
enable easy development of this application for the Windows
they use the computed symmetric key for encryption, which
Phone platform.
results in the same length as the plaintext.
5.5 Usability
5. FURTHER IMPROVEMENTS While we discuss the technical aspects of secret hand-
We propose possible enhancements to the current imple- shakes between mobile devices, usability issues were left out-
mentation. Some of them are immediately applicable, and side the scope of this work. For successful adoption of our,
some are subject to further research. or any other library and protocol, there has to be a good
understanding of how vendors and users would use this ca-
5.1 Speeding up computation pability in practice. We suggested several use cases in the
Chapter 6.11 of Lynn’s thesis [37] covers several possible introduction. It would be beneficial to validate them by
opportunities for precomputation that can speed up sub- surveying vendors and users, as well as to find additional
sequent computation of pairings. Those opportunities arise use-case scenarios.
from the fact that some of the computation steps depend en-
tirely on only one of the two inputs to the pairing. For each
handshake initiated using the same credentials, the pairing 6. RELATED WORK
G1 input is the same. Therefore, Lynn’s proposals can be We survey related work in the relevant domains, focusing
applied. Moreover, preprocessing is supported by the PBC on theoretic work applicable to our setting, and on systems
library and is part of its API. It would be beneficial to ex- projects with similar goals.
tend PbcProxy to support preprocessed pairings. Hiding the Rumor Source by Fanti et al. [22] provides mes-
sage source obfuscation by using adaptive diffusion spread-
5.2 Using BLE identifiers as pseudonyms ing. They operate under a model that assumes an adversary
As already mentioned, BLE supports using a randomized that has access to metadata, and and also to some corrupted
device address instead of the permanent public address. If nodes. Their method can be complementary to ours. If our
we could set the source device address we would be able application uses the established shared key to diffuse mes-
to use it as a pseudonym, instead of setting it in the ad- sages among society members, we can apply their scheme to
vertisement data. We saw that having 128-bit security for dictate the message diffusion policies, so that an adversary
10 that colludes with corrupted members of the secret group,
In our case we use the maximum available size for adver-
tisement packets. would not be able to identify the message source.
RevCast by Schulman et al. [42] is related to our proposal work also pertains to protecting user’s privacy, the guaran-
in the sense that it disseminates messages over a radio chan- tees provided by their Incognito system are different and are
nel11 . Thus the message transfer is independent of a central useful under different assumptions.
server. It also aims to facilitate clients’ privacy by obviating Prior work also investigated techniques for preserving pri-
requests to a server, an act that discloses a client’s interest vacy of end-users by changes of IP and MAC addresses [40,
in particular data. 38], identifier-free link layer protocol [14, 24] and short-lived
Since the scheme we have chosen [13] was proposed, there credentials or pseudonyms [30]. However, all these tech-
have been more works on the subject of secret handshakes. niques aim to ensure unlinkability only.
Some of them provide alternatives to pairing-based crypto [32] is a useful reference for understanding the intricacies
[19, 45], while others address unlinkability and more flexible of BLE scanning and advertisement. The power consump-
policies [12, 29, 34]. We discuss some of them below. tion model and design guidelines in that work can be useful
In [19] the authors propose a scheme for secret handshakes for optimizing future versions of our protocol.
based on CA-Oblivious encryption. CA-Oblivious encryp-
tion relies on providing a certificate to the user from which 7. CONCLUSION
one cannot learn about the signing authority. Its security
We propose a mobile application that enables members
proof relies on the Computational Diffie-Hellman assump-
of a secret community to discover other affiliates that are
tion (CDH). This scheme avoids using pairing-based cryp-
in proximity to their mobile device. It enables the creation
tography and can be built based on more standard PKI. This
of an authenticated and encrypted communication channel
can be useful on platforms on which it is currently difficult
over which the two members can communicate. We pro-
to run one of the existing libraries for pairing-based cryp-
vide the background needed to understand our scheme and a
tography, such as PBC or JPBC. While this scheme doesn’t
novel analysis of the technicalities related to implementing it
require pairings, more data has to be sent by the handshake
on top of a Bluetooth LE stack on a mobile device. Current
initiating party than in the scheme based on pairings that
state of BLE support poses many challenges which we exam-
only requires sending a short pseudonym. Considering the
ine. We discuss the design considerations and alternatives
very constrained amount of data we are allowed to send in an
and describe our prototype implementation of the secret
advertisement packet, the pairing-based scheme seems more
handshake scheme. The experimental evaluation of our im-
suitable for our task. Additionally, their scheme doesn’t
plementation suggests that cryptographic secret handshakes
provide unlinkability that is not based on issuing multiple
for mobile devices are highly practical. In particular, we
credentials, while the scheme of Balfanz et al. [13] is con-
show that our protocol plays well with Bluetooth LE, and
veniently transformed into an unlinkable SH scheme with
its energy overhead is acceptable for mobile devices. Finally,
reusable credentials.
we propose several ideas for further research.
Secret handshakes with dynamic and fuzzy matching, by
Ateniese et al. [12], adds the ability to specify a set of at-
tributes, required from the other party, in order for the ACKNOWLEDGMENTS
handshake to succeed. It is essentially an attribute-based We would like to thank Dan Boneh from Stanford Univer-
secret handshake scheme which also provides unlinkability sity for advice on pairing-based cryptography, identity-based
and supports roles. The authors integrated the scheme into encryption and related works, and members of the Sensing
the IPSec protocol, by extending the Internet Key Exchange and Energy Research Group at Microsoft Research: Bodhi
protocol [26]. While the scheme we chose is not the state Priyantha, for advising on Bluetooth LE and Di Wang for
of the art, as of today, it is simpler to understand, and re- helping with the mobile setup.
quires sending less data upon handshake initiation. The
applications we proposed so far can do without the addi-
tional features provided by the dynamic or fuzzy handshake
8. REFERENCES
schemes. In addition, our protocol requires performing a [1] Afterschool, http://afterschoolapp.com/app.
single bilinear pairing computation, while that scheme re-
[2] Complete keyless, www.completekeyless.com.
quires performing three pairings. However, providing addi-
tional functionality by using more novel schemes would be a [3] Connect2car, www.connect2car.com.
desirable follow-up work, as well as identifying how mobile [4] Dubbledutch.me,
applications can benefit from fuzzy attribute-based secret http://doubledutch.me/attendance-tracking.html.
handshakes. [5] Legatalk, http://legatalk.com.
Hidden Credentials by Holt et al. [27] proposes a method [6] Multiple precision integers and rationals library,
for Bob to send a message to Alice depending only on Alice’s mpir.org.
credentials, without having any credentials of his own. It is [7] Open whisper systems, https://whispersystems.org.
based on Boneh-Franklin IBE [17] which is in turn based on [8] Sharpen - Automated Java to C# coversion.
the Weil pairing. The notion of hidden credentials could be [9] Telegram messenger, https://telegram.org.
useful in case there is a messenger, who is an outsider to [10] Yik yak, https://www.yikyak.com/home.
the organization, but wants to send an encrypted message [11] ”iBeacon” technology that will make possible Internet
to any member that has a certain role or clearance in the of Things. pages 159–165. Institution of Engineering
organization. and Technology, 2014.
[33] is an example of incorporating custom identifiers in
[12] Giuseppe Ateniese, Marina Blanton, and Jonathan
the BLE MAC address, as we suggested in 5.2. While that
Kirsch. Secret handshakes with dynamic and fuzzy
11 matching. In Network and Distributed System Security
They use FM radio broadcasts to spread certificate revo-
cation updates. Symposium, pages 159–177, 2007.
[13] D. Balfanz, G. Durfee, N. Shankar, D. Smetters, [29] Stanislaw Jarecki and Xiaomin Liu. Unlinkable Secret
J. Staddon, and Hao-Chi Wong. Secret handshakes Handshakes and Key-Private Group Key Management
from pairing-based key agreements. 2003 Symposium Schemes. In Applied Cryptography and Network
on Security and Privacy, 2003., 2003. Security, volume 4521, pages 270–287. 2007.
[14] Kevin Bauer, Damon McCoy, Ben Greenstein, Dirk [30] Qi Jiang, Jianfeng Ma, Guangsong Li, and Li Yang.
Grunwald, and Douglas Sicker. Physical layer attacks An efficient ticket based authentication protocol with
on unlinkability in wireless lans. In International unlinkability for wireless access networks. Wireless
Symposium on Privacy Enhancing Technologies personal communications, 77(2):1489–1506, 2014.
Symposium, pages 108–127. Springer, 2009. [31] Antoine Joux. A one round protocol for tripartite
[15] Dan Boneh and Xavier Boyen. Secure identity based diffie–hellman. In Algorithmic number theory, pages
encryption without random oracles. In Advances in 385–393. Springer, 2000.
Cryptology–Crypto 2004, pages 443–459. Springer, [32] Philipp Kindt, Daniel Yunge, Robert Diemer, and
2004. Samarjit Chakraborty. Precise Energy Modeling for
[16] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. the Bluetooth Low Energy Protocol. mar 2014.
Hierarchical identity based encryption with constant [33] Robin Kravets, Güliz Seray Tuncay, and Hari
size ciphertext. In Advances in Sundaram. For your eyes only. In Proceedings of the
Cryptology–EUROCRYPT 2005, pages 440–456. 6th International Workshop on Mobile Cloud
Springer, 2005. Computing and Services, pages 28–35. ACM, 2015.
[17] Dan Boneh and Matt Franklin. Identity-based [34] Preeti Kulshrestha and Arun Kumar. A New
encryption from the weil pairing. Advances in Unlinkable Secret Handshakes Scheme based on ZSS.
Cryptology - CRYPTO 2001, 2001. [35] Ben Lynn. Pbc benchmarks,
[18] Dan Boneh, Ben Lynn, and Hovav Shacham. Short https://crypto.stanford.edu/pbc/times.html.
signatures from the weil pairing. Advances in [36] Ben Lynn. Pbc library,
Cryptology - ASIACRYPT 2001, 2001. https://crypto.stanford.edu/pbc.
[19] Claude Castelluccia, Stanislaw Jarecki, and Gene [37] Ben Lynn. On the Implementation of Pairing-Based
Tsudik. Secret Handshakes from CA-Oblivious Cryptosystems. PhD thesis, 2007.
Encryption. In Advances in Cryptology - ASIACRYPT [38] Shrirang Mare, Jacob Sorber, Minho Shin, Cory
2004, 10th International Conference on the Theory Cornelius, and David Kotz. Hide-n-sense: preserving
and Application of Cryptology and Information privacy efficiently in wireless mhealth. Mobile
Security, Jeju Island, Korea, December 5-9, 2004, Networks and Applications, 19(3):331–344, 2014.
Proceedings, volume 3329, pages 293–307, 2004. [39] Victor S Miller. The weil pairing, and its efficient
[20] Angelo De Caro and Vincenzo Iovino. jpbc: Java calculation. Journal of Cryptology, 17(4):235–261,
pairing based cryptography. In Proceedings of the 16th 2004.
IEEE Symposium on Computers and Communications, [40] Barath Raghavan, Tadayoshi Kohno, Alex C Snoeren,
ISCC 2011, pages 850–855. IEEE, 2011. and David Wetherall. Enlisting isps to improve online
[21] Andreas Enge. Bilinear pairings on elliptic curves, privacy: Ip address mixing by default. In International
2013. Symposium on Privacy Enhancing Technologies
[22] Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannan Symposium, pages 143–163. Springer, 2009.
Ramchandran, and Pramod Viswanath. Hiding the [41] Mike Ryan. Bluetooth: With Low Energy Comes Low
rumor source. arXiv preprint arXiv:1509.02849, 2015. Security. In Proceedings of the 7th USENIX
[23] Steven D. Galbraith, Kenneth G. Paterson, and Conference on Offensive Technologies, page 4, 2013.
Nigel P. Smart. Pairings for cryptographers, 2008. [42] Aaron Schulman, Dave Levin, and Neil Spring.
[24] Ben Greenstein, Damon McCoy, Jeffrey Pang, Revcast: Fast, private certificate revocation over fm
Tadayoshi Kohno, Srinivasan Seshan, and David radio. In Proceedings of the 2014 ACM SIGSAC
Wetherall. Improving wireless privacy with an Conference on Computer and Communications
identifier-free link layer protocol. In Proceedings of the Security, pages 799–810. ACM, 2014.
6th international conference on Mobile systems, [43] Renwang Su. On the security of a novel and efficient
applications, and services, pages 40–53. ACM, 2008. unlinkable secret handshakes scheme. IEEE
[25] Jie Gu and Zhi Xue. An Improved Efficient Secret Communications Letters, 13(9):712–713, sep 2009.
Handshakes Scheme with Unlinkability. IEEE [44] Kevin Townsend, Carles Cufi, and Robert Davison.
Communications Letters, 15(2):259–261, feb 2011. Getting Started with Bluetooth Low Energy, 2014.
[26] Dan Harkins and Dave Carrel. Rfc 2409: The internet [45] Damien Vergnaud. RSA-Based Secret Handshakes.
key exchange (ike), november 1998. Status: Proposed pages 252–274. 2006.
Standard. [46] Eun-Jun Yoon. Cryptanalysis of an Efficient Secret
[27] Jason E. Holt, Robert W. Bradshaw, Kent E. Handshakes Scheme with Unlinkability. Procedia
Seamons, and Hilarie Orman. Hidden Credentials. Engineering, 24:128–132, 2011.
Proceeding of the ACM workshop on Privacy in the [47] Taek-Young Youn and Young-Ho Park. Security
electronic society - WPES ’03, page 1, 2003. analysis of an unlinkable secret handshakes scheme.
[28] Hai Huang and Zhenfu Cao. A Novel and Efficient IEEE Communications Letters, 14(1):4–5, jan 2010.
Unlinkable Secret Handshakes Scheme. Ieee
Communications Letters, 13(5):363–365 ST – A Novel
and Efficient Unlinkable Sec, 2009.